Deb Radcliff interviews three red team hackers focused on OT and embedded systems.
A quick look at the OWASP Embedded Application Security Project Best Practice Guide reveals numerous vulnerabilities in code developed for OT and embedded systems, including but not limited to buffer and stack overflows, injection attacks, cryptographic signatures and firmware updates, third-party code components, and lax authentication and access controls.
To understand how these other vulnerabilities could result in serious risk to society, three red team hackers share some of their most chilling findings in critical infrastructure systems, and provide advice for shifting left on OT and embedded DevOps practices.
These experts include:
- Alexander Heid, fellow and VP of Threat Intelligence at SecurityScorecard and co-founder of the respected Hack Miami conference, who discovered an open administrative control panel to a municipal hydroelectric dam on the internet with no access control.
- James Bell, co-founder of Hack Miami, is an application and network security expert who works in financial, travel, telecom and other industries. He recalls finding an unauthenticated application terminal allowing him to upload firmware from live tractors and cranes, noting that a real bad guy could do dangerous things like dropping loads, but the easiest change would have been to just upload nonsense and brick building equipment.
- Bryce Case is a former black hat who focuses now on securing consumer and smart home devices. As he said, “You either die a black hat or move into being an app sec engineer.” His team routinely uncovers vulnerabilities in-home devices wherein they could remotely do a stack overflow through DHCP commands.
They explain why embedded and OT systems are more difficult to code to because of their small footprint, how microservices can be riddled with buffer overflows and other issues that can’t be fixed, how attackers can exploit the web servers, APIs, terminal sessions, and radio signals used to connect these devices, and how IoT and small devices often contain hard-coded passwords, and lack encryption to prevent man in the middle attacks.
They’re also hacking new transmission capabilities, including software-defined radio or SDR. Bell says his team has been able to replay attacks and open doors because these channels and the firmware they connect to are also unencrypted.
Open-source libraries supporting these low-code embedded systems are also fair game for attackers, such as the Java-based jQuery and legacy applications. Case adds, “Testing through static analysis and manual code review are good sanitization practices to have, but a lot of this is looking at the underpinnings of video transcoding, such as FFmpeg, GStreamer, and other open source projects.”